usb: dfu: rework of dfu class implementation

[mrrosen]

To improve the usability and flexibility of the USB DFU class, some fixes and changes were implemented:

1. Added separate Kconfig variables for idVendor and idProduct when running in DFU mode as required by USB DFU 1.1 specification (Ch 2) since keeping the same values for these fields can lead to host OS caching of descriptors and not properly updating the configuration descriptor once in DFU mode.
2. Leverage Zephyr's devicetree-defined flash partitions to also define the alternates for USB DFU, allowing for flashing of images and data to more than just the image-1 used by mcuboot, making the class much more dynamic. It also enforces the read-only property of the partitions to prevent writing to partitions that arent supposed to be written to (this is actually a more general problem in the flash APIs right now ignoring this property)
3. Fix a few other minor issues, adding timeout timer for appDETACH, moved the time when the descriptor table changes in DFU mode, etc.

[jfischer-no]

Please separate it into smaller self-contained commits, describe the reason for the changes in the commits message. Please do not make style fixes.

[jfischer-no]

NACK for CONFIG_USB_DEVICE_DFU_VID, this is no required and not "considered necessary"

[jfischer-no]

Also NACK for CONFIG_USB_DEVICE_DFU_PID, "considered necessary" is not a must. Which OS did you observe the problems with?

[mrrosen]

Windows 10, dfu-util 0.9

[mrrosen]

The exact behavior is that the tool cannot find the device in DFU mode after USB reset because of OS-level caching of descriptors (from that Ch2 of the specification, its actually considered "necessary" to change the VID/PID). If you try again, the tool is able to preform DFU operations since the device is doing the correct thing.

[jfischer-no]

You can not assign 0x0101 here. There is a list of assigned PID, samples/subsys/usb/usb_pid.Kconfig. However, I do not think this is necessary at all.

[mrrosen]

Default PID is assigned in subsys/usb/Kconfig, thats what this is based off of. While a different PID between runtime mode and DFU mode is required by the specification and does have issues on Windows 10 (see other comments), we can have a single VID. I was just providing for maximum flexibility by creating new Kconfig variables for DFU mode descriptors.

[jfischer-no]

The one from subsys/usb/Kconfig is leftover before samples/subsys/usb/usb_pid.Kconfig was inserted. Please assign the value 0xffff for now.

[jfischer-no]

Please do not make style fixes along with other changes. These were not necessary here either.

[jfischer-no]

I see no benefit in using Doxygen for internal functions.

[mrrosen]

Some (not all) internal helper functions in this file had Doxygen comments, should they be added for new helper functions then or not?

[jfischer-no]

Please not for internal functions, I do not know why people do it.

[jfischer-no]

Convert to using DT should be done in separate commit (b). However why must all partitions (mcuboot?, image-0, image-1, image-scratch?, storage?) be exposed? I can not think of a good reason for this. This should remain limited for image-0 or image-0 + image-1.

[mrrosen]

mcuboot is probably never needed, however, its possible any number of additional partitions for file systems and other storage might want to be accessed or preflashed along with an OS image. Thats the motivation behind this change; and exposing all partitions is a simpler solution than trying to figure out which a user would want to expose. An alternative would be to add to device tree to add a flag to determine which partitions want to be exposed, but I didnt adding all that complexity was necessary.

[jfischer-no]

Well this implementation depends on image manager and mcuboot. Not only is it not necessary to expose all partitions, it is also confusing for the user and probably not desired by the developer.

[de-nordic]

The problem with generating descriptors for all partitions is that it bloats binary with code that will never be accessed in most cases, for example when user only wants to dfu the image-1 or image-2.

You may, for example, be out of flash on mcuboot partition, when trying to link DFU to mcuboot.

[mrrosen]

True that it does some additional data to the image that would not be used (the changes to the actual code arent significant in terms of code size). However, the additional descriptors really dont cost much memory (9 bytes for interface descriptor, 2 + 2 * strlen(partition-name) bytes for the string descriptors; so assuming a generous 5 extra partitions not used at all by DFU and a length of 15 characters, thats 5*(9 + 2 + 2 * 15) = 205 bytes, which is certainly not zero but compared to whats being added to the image when enabling USB and whats usually required for the image to use mcuboot with USB (32-64KiB) its not a very significant change. If this is a major concern, I would instead propose adding to device tree a marker for which partitions are desired to be accessed over DFU instead of hard limiting it to just image-1 or image-0 in single slot mode.
I agree there are some dependencies on the image manager than I did not entirely remove. Since there is alot of discussion around this topic; I think it would be better to split this PR between the parts fixing issues and the parts implementing the partitions rework (I will split up the commits as @jfischer-no suggested), or is it preferred each fix/commit be a separate PR?

[de-nordic]

Yes, do separate commits.
Maybe we should add 'upgreadable' property to elements of 'fixed-partitions' and generate the descriptors only for these partitions that are marked as upgredable, dfuable or whatever property there will be.
The ~200 does not seem much but the space in mcuboot partitions starts to get tight and if we can shave something off easily, why not do it?

[jfischer-no]

Do TODO or remove this comment.

[jfischer-no]

This change should be done in separate commit (c)

[jfischer-no]

Should be done in separate commit (d)

[jfischer-no]

This change should be done in separate commit (e)

[nvlsianpu]

I blocked merge until I understood what is changing here.

[de-nordic]

Unless the read-only property is really implemented, I see no reason for these to be here.
The idea is OK, but if it is TODO, it should get separate PR with proposed implementation.

[de-nordic]

I think that it current state, this should be RFC.

[nvlsianpu]

What is user-case for this change? Currently boot_request_upgrade() is no-op if image_1 dosen't exist (so USB DFU is build in the MCUBoot for this case). It is the operation for dual-bank mode. Dual-XIP support is in progress - but mean also no-op for this function.

[nvlsianpu]

typo DFU_DNLOAD -> DFU_DOWNLOAD

[mrrosen]

All the other print messages use DFU_DNLOAD, should they all be DF_DOWNLOAD?

[nvlsianpu]

DFU_DNLOAD is a DFU class request. Maybe:

Suggested change

	LOG_ERR("DFU_DNLOAD area is readonly");
	LOG_ERR("DFU_DNLOAD write area is readonly");

[nvlsianpu]

This is not a minor rework.

[mrrosen]

As mentioned above, there is a lot more discussion that needs to happen around the partition mapping; however there are a number of minor fixes also in this PR. So, I think its best if we split the PR between those actually minor fixes and the move to using the device tree partition map for USB DFU. As also mentioned, is it preferred by the code owners if those fixes are each a small PR or one PR?

[mrrosen]

All the other fixes have been moved to their own PR: #30611
How best should be handle the discussion in this thread for opening up DFU to more partitions? Continue this PR, open a new PR, open an issue for discussion?

[nvlsianpu]

My opinion is that rest can be continued here.

[mrrosen]

After a bit of thought on this (and coming back to it), I think there are two ways to go about adding the additional functionality while providing the control needed to minimize the number of partitions exposed, both leveraging devicetree:

1. Add to the partition table a few new labels to the partitions themselves (like what @de-nordic suggested) and have something like dfu-access with values "readonly" (can only be uploaded, like "image-0" now), "readwrite" (can be uploaded/downloaded, like "image-1" now), "hidden" (isnt accessible via dfu at all, like everything else now, so would be the default). To accommodate downloads to partitions that arent images (for example, loading prebuilt filesystems), another label should be added to handle what should happen during manifest, for mcuboot images, this is a call to boot_request_upgrade, so something like "dfu-manifest-action" with values "none" (default), "mcuboot", and allowing for expansion later if other post-processing steps are needed for other bootloaders/partitions.

partitions {
		compatible = "fixed-partitions";
		#address-cells = <1>;
		#size-cells = <1>;

		boot_partition: partition@0 {
			label = "mcuboot";
			reg = <0x00000000 0xc000>;
		};
		slot0_partition: partition@c000 {
			label = "image-0";
			reg = <0x0000C000 0x32000>;
			dfu-access = "readonly";
		};
		slot1_partition: partition@3e000 {
			label = "image-1";
			reg = <0x0003E000 0x32000>;
			dfu-access = "readwrite";
			dfu-manifest-action = "mcuboot";
		};
		scratch_partition: partition@70000 {
			label = "image-scratch";
			reg = <0x00070000 0xa000>;
		};
		storage_partition: partition@7a000 {
			label = "storage";
			reg = <0x0007a000 0x00006000>;
			dfu-access = "readwrite";
		};
	};

2. Instead of adding these to the partition table device tree, instead do something like what the USB audio class does and have the USB DFU class have its own set of device tress configurations settings as a child of the USB controller (maybe all USB classes should be this way, so descriptor tables/class configuration come more from device tree instead of all from Kconfig?). In this system, there are similar tags to the partitions but is instead but in one place associated with the DFU class and not mixed in with the partition table:

&usbd {
	dfu {
		label = "usb-dfu";
		compatible = "usb-dfu";

		alt_image_0 {
			partition = &slot0_partition;
			read-only;
		};
		alt_image_1 {
			partition = &slot1_partition;
			manifest-action = "mcuboot";
		};
		alt_storage {
			partition = &storage_partition;
		};
	};
};

[jfischer-no]

Instead of adding these to the partition table device tree, instead do something like what the USB audio class does and have the USB DFU class have its own set of device tress configurations settings as a child of the USB controller (maybe all USB classes should be this way, so descriptor tables/class configuration come more from device tree instead of all from Kconfig?).

No, I do not think it is a good idea. DT for audio is temporary solution and please do not use it as an example. And we do not obtain "descriptor tables" from from Kconfig.
I think in the opposite direction. Maybe it should not come preconfigured from the USB DFU implementation which partition is exposed, but the application (developer/user) should determine which partitions should be used. Before the USB start (usb_enable()) the partitions would be registered in the USB DFU core, possibly with appropriate flags (R|RW). But that would consume a little more flash.

[mrrosen]

@jfischer-no Do you mean for applications to each make their own version of the secondary descriptor table and set a pointer for the dfu implementation to use at runtime? With helper macros that would certainly be one way to do it, but now any application wanting to use DFU would have to include this macro (unless there is a default one in the DFU implementation folder).

[mrrosen]

@jfischer-no If its supposed to be user configurable (in code rather than DTS), it gets a bit messy to do while still ensuring the descriptors end up in the readonly section and dont consume RAM; since the descriptors need to change based on what partitions the user selects. As I mentioned above, we can generate them all using macros (not complete):

typedef void (*dfu_manifest_action_t)(uint8_t);
struct _dfu_partition {
  uint8_t area;
  uint8_t perm;
  dfu_manifest_action_t manifest_action;
};

#define USB_DFU_PARTITION_LIST0(v) {.area = FLASH_AREA_ID(v),
#define USB_DFU_PARTITION_LIST1(v) .perm = (v),
#define USB_DFU_PARTITION_LIST2(v) .manifest_action = (v)},
#define USB_DFU_PARTITION_LIST3(V) USB_DFU_PARTITION_LIST0(v)
#define USB_DFU_PARTITION_LIST4(v) USB_DFU_PARTITION_LIST1(v)
...
#define USB_DFU_PARTITION_LIST(i, v) UTIL_CAT(USB_DFU_PARTITION_LIST, i)(v)

#define USB_DFU_DESCRIPTOR_DEF0(v) struct usb_if_descriptor if0;
#define USB_DFU_DESCRIPTOR_DEF1(v) EMPTY
#define USB_DFU_DESCRIPTOR_DEF2(v) EMPTY
#define USB_DFU_DESCRIPTOR_DEF3(v) struct usb_if_descriptor if1;
...
#define USB_DFU_DESCRIPTOR_DEF(i, v) UTIL_CAT(USB_DFU_DESCRIPTOR_DEF, i)(v)

#define USB_DFU_DESCRIPTOR_INIT0(v) .if0 = { \
			.bLength = sizeof(struct usb_if_descriptor), \
			.bDescriptorType = USB_INTERFACE_DESC, \
			.bInterfaceNumber = 0, \
			.bAlternateSetting = 0, \
			.bNumEndpoints = 0, \
			.bInterfaceClass = DFU_DEVICE_CLASS, \
			.bInterfaceSubClass = DFU_SUBCLASS, \
			.bInterfaceProtocol = DFU_MODE_PROTOCOL, \
			.iInterface = 4, \
		},
#define USB_DFU_DESCRIPTOR_INIT1(v) EMPTY
#define USB_DFU_DESCRIPTOR_INIT2(v) EMPTY
#define USB_DFU_DESCRIPTOR_INIT3(v) .if1 = { \
			.bLength = sizeof(struct usb_if_descriptor), \
			.bDescriptorType = USB_INTERFACE_DESC, \
			.bInterfaceNumber = 0, \
			.bAlternateSetting = 1, \
			.bNumEndpoints = 0, \
			.bInterfaceClass = DFU_DEVICE_CLASS, \
			.bInterfaceSubClass = DFU_SUBCLASS, \
			.bInterfaceProtocol = DFU_MODE_PROTOCOL, \
			.iInterface = 5, \
		},
...
#define USB_DFU_DESCRIPTOR_INIT(i, v) UTIL_CAT(USB_DFU_DESCRIPTOR_INIT, i)(v)

#define USB_DFU_PARTITIONS(...) \
  struct _dfu_partition _dfu_partitions[] = { \
    FOR_EACH_IDX(USB_DFU_PARTITION_LIST, (,), LIST_DROP_EMPTY(__VA_ARGS__)) \
  }; \
  struct struct dev_dfu_mode_descriptor { \
    struct usb_device_descriptor device_descriptor; \
	  struct usb_cfg_descriptor cfg_descr; \
	  struct usb_sec_dfu_config { \
      FOR_EACH_IDX(USB_DFU_DESCRIPTOR_DEF, (;), LIST_DROP_EMPTY(__VA_ARGS__)) \
      struct dfu_runtime_descriptor dfu_descr; \
    } __packed sec_dfu_cfg; \
  } __packed; \
  USBD_DEVICE_DESCR_DEFINE(secondary) \
  struct dev_dfu_mode_descriptor dfu_mode_desc = { \
    .device_descriptor = { \
      ... \
    }, \
    .cfg_descr = { \
      ... \
    }, \
    .sec_dfu_cfg = {
      FOR_EACH_IDX(USB_DFU_DESCRIPTOR_INIT, (,), LIST_DROP_EMPTY(__VA_ARGS__)) \
      .dfu_descr = { \
        ... \
      }, \
    }, \
  }; \
  ... // Same for string descriptors
  
USB_DFU_PARTITIONS(image_0, DFU_READ, NULL,
                   image_1, DFU_READ | DFU_WRITE, DFU_MANIFEST_MCUBOOT,
                   storage, DFU_READ | DFU_WRITE, NULL);

Another thing to consider with this solution is that any errors generated from a bad partition name or other mistake might be difficult to decipher. But without moving the descriptor into RAM, Im not sure of a better way to handle this. There might be better ways of using the FOR_EACH and other macros to make this cleaner but I couldnt come up with a different way.

Alternatively, a custom linker section/scripts could be used to setup the descriptors in memory from many different definitions like how device initialization works (I havent looked into this approach in detail).

[jfischer-no]

@jfischer-no If its supposed to be user configurable (in code rather than DTS), it gets a bit messy to do while still ensuring the descriptors end up in the readonly section and dont consume RAM; since the descriptors need to change based on what partitions the user selects. As I mentioned above, we can generate them all using macros (not complete):

Generally, all descriptors are placed in RAM because they are changed at runtime. This is how the stack works. Excuse me, but I do not see any urgent need to change anything in DFU implementation at the moment, especially to add new features, or change how we handle descriptors in current USB stack just because of new feature for DFU. I am in the process of reworking the USB device stack. The handling of the descriptors will change and the application will have more control over them, after that also the USB DFU implementation will be reworked and more abstracted.

[mrrosen]

@jfischer-no I didnt notice the descriptors were in RAM, so I apologize for that misunderstanding. The only urgency here was that this is a feature I need for my project (expanded access to other partitions via DFU), and thought it would be a nice feature to upstream in a generic way to enable anyone else who might need it (as well as fix the issues we found when trying to use DFU on Windows that were part of the original PR).

I can just use my original technique for my project and we can look at expanding this functionality with the new device stack later; so can close this PR.

[jfischer-no]

The only urgency here was that this is a feature I need for my project (expanded access to other partitions via DFU), and thought it would be a nice feature to upstream in a generic way to enable anyone else who might need it (as well as fix the issues we found when trying to use DFU on Windows that were part of the original PR).

@mrrosen Could you please open a feature request so that it does not get lost?
Thanks for the patch which fixed the problem on Windows OS.

[mrrosen]

The only urgency here was that this is a feature I need for my project (expanded access to other partitions via DFU), and thought it would be a nice feature to upstream in a generic way to enable anyone else who might need it (as well as fix the issues we found when trying to use DFU on Windows that were part of the original PR).

@mrrosen Could you please open a feature request so that it does not get lost?
Thanks for the patch which fixed the problem on Windows OS.

#32135

This feature can be now tracked here instead.